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IN THE CLAIMS 

Amended claims follow. Insertions are underlined, while deletions are 
struck out. The status of each claim is included prior to each heading. 

1 . (Currently Amended) A method for detecting modifications to risk 
assessment scanning caused by an intermediate device, comprising: 

(a) initiating a risk assessment scan on a target from a remote source utilizing a 
network; 

(b) determining whether the risk assessment scan involves an intermediate 
device coupled between the target and the remote source; 

(c) receiving results of the risk assessment scan from the target utilizing the 
network; and 

(d) notifying an administrator if it is determined that the risk assessment scan 
involves the intermediate device , wherein additional operations are carried 
out to impr ove a risk assessment in view of the presence of the intermediate 
device coupled between the tamet and the remote source . 

2. (Original) The method as recited in claim 1, wherein the intermediate device 
includes a router. 

3. (Original) The method as recited in claim I, wherein a plurality of 
procedures are utilized to determine whether the risk assessment scan 
involves the intermediate device. 

4. (Original) The method as recited in claim 3, wherein at least one of the 
procedures includes determining a port list associated with the risk 
assessment scan. 

5. (Original) The method as recited in claim 4, wherein the at least one of the 
procedures further includes determining whether a value of a flag is different 
for communication attempts using at least two ports on the port list. 



PACE 5/18 * RCVD AT 1 1/23/2004 2:03:27 PM [Eastern Standard Time] * SVR:USPTO-EFXRF-1/2 * DNIS:8729306 * CSID:408 671 4660 * DURATION (mm-ss>:06.10 



Nov 23 04 11:11a 



SVIPG 



408 971 4GG0 



p.B 



-3- 



6. (Original) The method as recited in claim 5, wherein the flag includes an 
Ip_rtl flag. 

7. (Original) The method as recited in claim 5, wherein the flag includes a 
tcpwin flag. 

8. (Original) The method as recited in claim 5, wherein the communications 
include connection attempts between the remote source and the target 
utilizing the network. 

9. (Original) The method as recited in claim 5, wherein the at least one of the 
procedures further includes indicating that the risk assessment scan involves 
the intermediate device if the value of the flag is different for the 
communication attempts using the at least two ports on the port Jist. 

10. (Original) The method as recited in claim 3, wherein at least one of the 
procedures includes transmitting a first request for content to the target 
utilizing the network, and transmitting a second request for a cached version 
of the content to the target utilizing the network. 

1 1 . (Original) The method as recited in claim 1 0, wherein the cached content is 
requested from the target utilizing a via tag. 

12. (Original) The method as recited in claim 10, wherein the at least one of the 
procedures further includes analyzing responses to the first and second 
requests. 

13. (Original) The method as recited in claim 1 2, wherein the at least one of the 
procedures further includes indicating that the risk assessment scan involves 
the intermediate device based on the analysis. 
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1 4. (Original) The method as recited in claim 1 3, wherein the at least one of the 
procedures further includes indicating that the risk assessment scan involves 
the intermediate device if the responses to the requests are different. 

15. (Original) The method as recited in claim 3, wherein at least one of the 
procedures includes transmitting a request without specifying a host header 
value. 

1 6. (Original) The method as recited in claim 1 5, wherein the at least one of the 
procedures further includes identifying an error message in response to the 
request. 

1 7. (Original) The method as recited in claim 1 6, wherein the at least one of the 
procedures includes indicating that the risk assessment scan involves the 
intermediate device if the response includes the error message. 

1 8. (Currently Amended) A computer program product for detecting 
modifications to risk assessment scanning caused by an intermediate device, 
comprising: 

(a) computer code for initiating a risk assessment scan on a target from a remote 
source utilizing a network; 

(b) computer code for determining whether the risk assessment scan involves an 
intermediate device coupled between the target and the remote source; 

(c) computer code for receiving results of the risk assessment scan from the 
target utilizing the network; and 

(d) computer code for notifying an administrator if it is determined that the risk 
assessment scan involves the intermediate device; 

wherein additional operations are carried out to improve a risk assessment in 
view of the presence of the intermediate device coupled between the target 
and the remote source . 

1 9. (Original) The computer program product as recited in claim 1 8, wherein the 
intermediate device includes a router. 
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20. (Original) The computer program product as recited in claim 1 8, wherein the 
intermediate device includes a proxy server. 

2 1 . (Original)The computer program product as recited in claim 1 8, wherein a 
plurality of procedures are utilized to determine whether the risk assessment 
scan involves the intermediate device. 

22. (Original)The computer program product as recited in claim 2 1 , wherein at 
least one of the procedures includes determining a port list associated with 
the risk assessment scan. 

23. (Original)The computer program product as recited in claim 22, wherein the 
at least one of the procedures further includes determining whether a value of 
a flag is different for communication attempts using at least two ports on the 
port list, 

24. (Original) The computer program product as recited in claim 23, wherein the 
flag includes an ip_ttl flag. 

25. (Original) The computer program product as recited in claim 23, wherein the 
flag includes a tcp_win flag. 

26. (Original) The computer program product as recited in claim 23, wherein the 
communications include connection attempts between the remote source and 
the target utilizing the network. 

27. (Original)The computer program product as recited in claim 23, wherein the 
at least one of the procedures further includes indicating that the risk 
assessment scan involves the intermediate device if the value of the flag is 
different for the communication attempts using the at least two ports on the 
port list. 
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28. (Original)The computer program product as recited in claim 21 , wherein at 
least one of the procedures includes transmitting a first request for content to 
the target utilizing the network, and transmitting a second request for a 
cached version of the content to the target utilizing the network. 

29. (Original) The computer program product as recited in claim 28, wherein the 
cached content is requested from the target utilizing a via tag. 

30. (Original) The computer program product as recited in claim 28, wherein the 
at least one of the procedures further includes analyzing responses to the first 
and second requests. 

3 1 . (Original) The computer program product as recited in claim 30, wherein the 
at least one of the procedures further includes indicating that the risk 
assessment scan involves the intermediate device based on the analysis. 

32. (Original) The computer program product as recited in claim 3 1 , wherein the 
at least one of the procedures further includes indicating that the risk 
assessment scan involves the intermediate device if the responses to the 
requests are different. 

33. (Original)The computer program product as recited in claim 21, wherein at 
least one of the procedures includes transmitting a request without specifying 
a host header value. 

34. (Original) The computer program product as recited in claim 33, wherein the 
at least one of the procedures further includes identifying an error message in 
response to the request. 

35. (Original) The computer program product as recited in claim 34, wherein the 
at least one of the procedures includes indicating that the risk assessment 
scan involves the intermediate device if the response includes the error 
message. 
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36. (Currently Amended) A system for detecting modifications to risk 
assessment scanning caused by an intermediate device, comprising: 

(a) logic for initiating a risk assessment scan on a target from a remote source 
utilizing a network; 

(b) logic for determining whether the risk assessment scan involves an 
intermediate device coupled between the target and the remote source; 

(c) logic for receiving results of the risk assessment scan from the target 
utilizing the network; and 

(d) logic for notifying an administrator if it is determined that the risk 
assessment scan involves the intermediate device; 

wherein additional oper ations are carried out to improve a risk assessment in 
view of the p resence of the intermediate device coupled between the targ et 
and the remote source . 

37. (Currently Amended) A method for detecting modifications to risk 
assessment scanning caused by a proxy server, comprising: 

(a) initiating a risk assessment scan on a target from a remote source utilizing a 
network; 

(b) executing a plurality of procedures to determining whether the risk 
assessment scan involves a proxy server coupled between the target and the 
remote source; 

(c) said procedures utilizing a plurality of parameters selected from the group 
consisting of an ip_ttl flag, a tcp_win flag, a via tag, and a host header value; 

(d) receiving results of the risk assessment scan from the target utilizing the 
network; 

(e) flagging the results of the risk assessment scan if at least one of the 
procedures indicates that the risk assessment scan involves a proxy server 
coupled between the target and the remote source; and 

(0 notifying an administrator if the results of the risk assessment scan are 
flagged; 
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wherein additional operations are carried out to improve a risk assessment in 
view of the presence of the proxv server coupled between the target and the 
remote source . 

38. (Currently Amended) A computer program product for detecting 
modifications to risk assessment scanning caused by a proxy server, 
comprising: 

(a) computer code for initiating a risk assessment scan on a target from a remote 
source utilizing a network: 

(b) computer code for executing a plurality of procedures to determining 
whether the risk assessment scan involves a proxy server coupled between 
the target and the remote source; 

(c) said procedures utilizing a plurality of parameters selected from the group 
consisting of an i p tt 1 flag, a tcp_win flag, a via tag, and a host header value; 

(d) computer code for receiving results of the risk assessment scan from the 
target utilizing the network; 

(e) computer code for flagging the results of the risk assessment scan if at least 
one of the procedures indicates that the risk assessment scan involves a 
proxy server coupled between the target and the remote source; 

(f) computer code for notifying an administrator if the results of the risk 
assessment scan are flagged^ 

wherein additional operations are carried out to improve a risk assessment in 
view of the presence of the proxy server coupled between the target and the 
remote source . 

39. (Original - Renumbered) The method as recited in claim 1, wherein the 
intermediate device includes a proxy server. 
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